April 2009 Archives

On day four and five of my first RSA Conference, I spent most of the day going to lectures about current and future hacks that are being launched against businesses by cyber criminals. I learned a lot, because, as I've said before, I'm pretty new to the information security domain. For instance, I went to one lecture given by David Barroso of S21sec about common browser hijacking techniques. This was a really interesting session wherein Barroso discussed the following attacks:

These are really dangerous attacks. All of them exploit only the Windows operating system; none of them target Mac, Linux, UNIX, or mobile devices (a characteristic I heard over and over this week). They are installed in drive-by attacks and via email. Sinowal even installs itself into the Master Boot Record (MBR), allowing it to load a driver into the kernel as the OS boots that it uses to hide its files and registry keys and to intercept certain Win32 API calls (e.g., to capture key strokes). Some will also kill the OS after they've stolen sensitive information from the victim (more on this later).

These malware are very clever and dangerous. They jump on the box when you go to some hacker's Web site (e.g., by clicking the link to the Web site of a new Twitter follower or by clicking the unsubscribe link in SPAM). After installing themselves, they wait for you to go to Web sites in their lists of sites they can alter with their own HTML. For instance, a certain SilentBanker variant may be configured to inject HTML into the standard Web page of banks X, Y, and Z. When the user of an infected machine browses to www.BankX.com, it will alter the HTML of it login form to include additional fields used to harvest sensitive data (e.g., mother's maiden name, SSN, first pet's name, DOB, etc.). It will also alter the page to submit the data to some bogus Web page that looks like the bank's saying that the login failed due to a system outage. The private data will be transmitted to a drop site, and the malware may then kill your OS.

After executing this crime, the attacker wants to erase all evidence of how he perpetrated it. To conceal his tracks, the Trojan will delete some system resources that are required for the system to run, effectively killing the OS. For example, the malware might delete ntdetect.com, ntldr, a bunch of device drivers, registry keys like HKCU, etc. After this the OS is totally unusable, the victim calls their IT department (or teenage child) and asks them to reinstall Windows. While doing so, the hard drive is reformatted and the evidence is lost.

So, the lesson here: If your bank asks for a different or large amount of sensitive data while logging in, don't provide it. If you do and your computer stops working shortly thereafter, don't reformat it; call the police and make sure their cyber forensics experts analyze it.

If there is anything I learned this week, it's that we are currently in the middle of a cyber war with virtual cartels and e-terrorist organizations. The civilized world is under attack from terrorist that are utilizing the Internet to rob us. Our children, friends, family, businesses, and governments are all soldiers in this war. Every software engineer is a sergeant with authority over at least a small platoon made up of his or her community. As software developers, we have the skills, duty, and ethical responsibility IMO to protect our families, friends, and employers from the cyber attacks of an immoral and determined advisory.

To this end, we must teach our children, for example, how to use MySpace not insist that they avoid it; they must be taught how to disarm the landmines while under our command or else they'll unknowingly step on them once they're not. We must ensure that we have virus protection software on our computers at all times. We need to insist that our employers prioritize pen testing, threat modeling, and security reviews. More of us engineers need to attend conferences like RSA, and we need to share what we learn at them with our communities. To this end, I will happily (with what little time I have and within reason) answer emails, phone calls, IMs, blog comments, invites to lunches or coffee, and meeting requests to share more about what I learned at RSA this week. You can find my contact info on my Web site if you'd like to take me up on this offer.

The fist is a theme I've been hearing over and over again this week in the various identity-related sessions I've attended. The most obvious mention of it yesterday was in a lecture given by Kevin Kampman and Alice Wang of the Burton Group about role-based access and entitlements management. They said at various points in their presentation that the creation of such a system required a sponsor/advocate in the non-IT side of the business that would fight the political battles. They stressed the importance of this citing various reasons. For example, such a system is needed, after all, for the sole purpose of solving the issues confronting the business, so product will have a huge stake in its capabilities, features, timelines, etc. Balancing these with those of IT and security will be a difficult people-centric journey.

This theme is especially important to security professionals (even for those that identity-management isn't their primary focus) if what Microsoft's John "JG" Chirapurath said later that day is correct that security is rapidly become an identity problem. I don't know for sure (because I'm relatively new to the information security space), but I would imagine that security experts and business people have a relatively hard time getting along; I know IT and business do. So, we have a serious problem: IT and security aren't getting along with business and vice versa, and the successful collaboration of all three is fundamental if organizations are going to meet their objectives without falling prey to the tireless forces of competition and cyber crime. What needs to change for us all to get along better? Humility, commitment to the objectives of the organization by all parties, trust, openness and avoidance of group think, and accountability to name a few.

I talked with more of my fellow attendees yesterday than I did on Monday and Tuesday. Robert McMillian (@bobmcmillan on Twitter) of IDG News Service warned that many vendors are recasting themselves as cloud service providers in hopes of capitalizing on the buzz. I heard this from Jay Chaudhry of Zscaler on Tuesday as well. This isn't a new ploy, but it is one to watch out for of course. I also talked with a gentleman at the VeriSign party I was at last night who's name I didn't catch; he said that he thought cloud computing would have a moderate impact on our society and our businesses but it would not be as profound as some (myself included) are predicting. Who knows how cloud computing will pan out? None of us do, so let's be passionate and excited about technology and its possibilities while simultaneously thinking critically about it. If we all do this, it won't matter how and what cloud computing becomes ;-)

The third big take away from the RSA Conference yesterday for me was a new project called Kantara. This initiative, led by representatives from the OpenID, Information Card, and SAML communities, is seeking to create a digital identity system by conflating the three technologies (i.e., creating an intersection of them as shown in the Venn of Identity). Identity is a really hard problem especially at the Internet-scale and considering what I just mentioned about it being largely a political/people issue. The fact that this project has no barrier for entry indicates to me that the folks behind Kantara get this and understand that the brightest minds must be brought to bear on the problem not just those that work for companies willing to put some cash on the line. This grassroots, bottom-up effort is a tact that I think has a lot of potential to go farther faster, and I support and thank those pioneers who stepped up to the challenge by collaborating on the problem in this way.

I learned a lot today during day two of the RSA
Conference. A lot of it was from one-on-one conversations I had with helpful,
inspiring gentlemen, but I also learned a lot from the keynotes, panel
discussions, and sessions that I attended. There was too much to go into
it all here, but there was one red thread that I heard over and over
today. It was a theme I did not expected to be so dominant andso positive at a conference
full of security buffs, C-level execs, and enterprise architects: cloud computing represents a tremendous
opportunity that is there for the taking.

I heard it described today by one panelist as the technology of the gods.
The president of RSA, Art Coviello, said in his keynote that cloud computing is
bringing our society to a tipping point. After teetering over it, humankind will be complexly
revolutionized.This sentiment was echoed
by Microsoft's Scott Charney.Symantec's
CEO, Enrique Salem, said that the interfaces of some cloud-based software that
will be implemented by many different vendors should be standardized in a collaborative,
open manner.During a panel discussion that
included some of the world's leading cryptographers (Whitfield Diffie, Martin
Hellman, Ronald Rivest, Bruce Schneier, and Adi Shamir), two of the five said
that cloud computing is one of the most compelling and interesting areas that
is occupying a large part of their time, research, and thoughts. Another panel
included Eva Chen, co-founder of TrendMicro, who's been in the security
industry for 21 years and said that cloud computing is the most interesting
development that she has ever seen. The co-founder of America's Growth Capital
investment banking group said that the SaaS market is currently 1.3B in size
and is growing by 17% annually according to an IDC study recently published.Kim Cameron said that the claims-based model
would help support the need to identify users both in the cloud and on-prem.

Some at the conference are voicing their counter views,
however. I've heard some say that they are board with cloud computing as
it's just the resurgence of the mainframe. Others have said that cloud
computing coupled with SSO increases a user's attack surfaces tremendously
should they happen to get infect by a virus that uses SSO to connect to remote
cloud services to perform unbeknownst and undesired operations as them.Some participants have said during open mic
sessions that they would never store their data in the cloud.

In every keynote,
panel, and session, cloud computing came up and usually with a positive tone.

As I mentioned in my last blog post, my day consisted primarily of an all-day session on building an identity management system at the RSA Conference. In the evening, I spent 3+ hours on the expo floor. For the most part, I used my time to talk with the Microsoft product, sales, and engineering folks (including Vittorio!) to understand what Forefront Sterling is and how its different parts work with the sort of STS that my group and I have been creating. After reading the announcement about this the other day, I had dismissed it as nothing more than marchitecture. Marketing it may be, but it isn't something that should be quickly dismissed without fully understanding it. After taking the time to talk with the folks tonight at RSA, I have to say, I was very impressed with their level of expertise and willingness to help me come to this understanding and of the actual solution itself.

I use the term solution here purposefully because that is exactly what Sterling is - an end-to-end solution for system security that integrates with previously available Microsoft products as well as newly acquired ones to provide enterprise-ready security. Sterling, from what I understand after tonight's discussion, integrates the previous version of Forefront with of previously existing or recently acquired products to provide features such as:

A centralized management interface and PowerShell API to tie it all together.

These features, and a truckload of others, are provided by the different products within the suite. Lots of these capabilities were provided previously by existing properties that were consumer-oriented (e.g., AV by OneCare and spyware handling by Defender) or available as a stand-alone product (e.g., Sybari Antigen for Exchange). The rebranding/renaming as Sterling is simply to communicate their newly unified nature.

The products that make up this suite include the following:

Forefront codenamed Sterling (which is a unified management console that works with System Center)

Forefront Client Security (the business-oriented version of Defender, OneCare, and others that tie in with the Sterling System Center management UI to provide host security)

Forefront Edge Security

Identity Lifecycle Manager 2010

Identity Lifecycle Manager

The most exciting piece to me, at least, was Identity Lifecycle Manager. This product isn't new, but it was to me. If you're also new to the product, think of it as SharePoint with custom workflows revolving around identity management. It allows you to define (extensible) workflows that can be triggered by various preexisting or user-created events to launch a workflow that solves a particular challenge related to identity management. Some of the primary use cases that it helps solve include:

Forgotten password,

Replication of identities between heterogeneous directories,

Self-service abilities to be added/removed from Exchange distribution lists, and

Provisioning of user identities.

It helps address the first need by allowing users to choose or define (not sure which) security questions, one of which will be presented to them should they happen to forget their password. These questions are surfaced via a custom GINA that provides a button allowing a user who's forgotten their password to provide the answer to a previously setup security question directly from the typical login screen. (I'm not sure how this would work if you already have a custom GINA like the one provided by Check Point's Pointsec PC.)

Its ability to replicate identities from one directory to another isn't limited to AD and, from what I'm told, allows workflows to be kicked off based on events that occur in other data stores (e.g., SAP). The self-management of subscriptions to distribution lists is integrated into Outlook and can be governed by policies (events and workflows that solve a particular business rule) that require manual approval or not. If approval is required, the list's owner is sent an email where she can approve or deny the request from within Outlook. The automation around user identifies is flexible and extensible via custom WF activities which is good because, based on what Erik Heidt said during the tutorial earlier today, user provisioning is an extremely difficult and time-consuming job that requires an understanding of tribal, undocumented processes.

All of this in one day! What will day two entail? Stay tuned to my blog to read more tomorrow and follow me on Twitter for more frequent updates.

I am currently in San Francisco where I'm attending my first RSA Conference. I'm here to learn more about security as it relates to identity management, cloud computing, and the financial industry in general. To this end, I kicked off my day by attending the Liberty Alliance and Information Card Foundation workshop. I was only able to stay for the first hour of the day-long meeting, but, during that time, I talked with Paul Trevithick, CEO of Azigo and founder of the Information Card Foundation as well as his colleague, Jack Connors. They helped me understand the constituent parts within the Higgins project and their relationship to Azigo and Novel. Through many architectural iterations, he told me that the Higgins community has come to realize that the problem is best solved by a S+S solution which includes a thick-client able to do crypto and a hosted card store. This cloud-based service acts as a rendezvous point and replicates cards between devices. Azigo is hosting this SaaS offering since Higgins, as an OSS project, has no means to provide on-demand, cloud-based software. He also stressed the community's desire to innovate in addition to interoperating with CardSpace; this is leading, he said, to competition with Microsoft which benefits everyone as the vendors sharpen, inspire, and one up each other. Trevithick said that through a lot of hard work and evangelism, he feels that Higgins and Information Cards are finally at the starting line and the big race is about to begin. This jives with the finding of a Gartner report on the matter that I was recently told about. I was very happy to meet Trevithick and Connors, and hope to collaborate more with them in the future.

During the workshop, I also had a brief chance to talk with Christie Bacchus and her associates at PingIdentity about their PingFederate product. It was really helpful because I learned that this product of theirs is what I would call a passive STS or a Federation Provider STS (FP-STS). I was hoping to hook up with them more in the evening to learn if they support browser POST and/or browser artifact (two things I'm just now learning about honestly). I'm guessing both, but it would have been cool to talk to them about bearer tokens, holder-of-key tokens, and their new active STS product. Too bad they didn't have a booth at the convention (which really shocked me).

After this first hour, I spent the day in a 8-hour-long lecture given by Erik Heidt and Dan Houser. It was a really good talk, but it wasn't what I expected. The room seemed to be made up of a lot of CIOs, CTOs, enterprise architects, and other big wigs. I felt (perhaps incorrectly) that I was the only engineer in the room. Though a bit out of my league perhaps, I really benefited from the big-picture perspective that Heidt and Houser shared. I learned that enterprise identity management is really hard and really complex. From my little vantage point where I write my code all day, it doesn't seem that monstrous. But, as Heidt pointed out, building an identity management system is not a technology project. 1/5 of it is, but 20% of it is product management and 60% is all politics. Of that, he advised that most of the engineering effort should be limited to acquiring COTS products and integrating them rather than building such things yourself, especially when it comes to federated identity management. (Ironically, that's exactly what my team and I are building ATM.)

They talked at length about the components of an identity infrastructure:

I could go on and on about the details of their talk, but, alas, I've burnt all of the midnight oil and must call it quits for now. Come back tomorrow for more about my time at the RSA Conference, follow me on Twitter, and check out my other post on day one of the conference.